In our exploratory quasi-experimental study, 480 students were recruited and
exposed to social engineering directives during a university orientation
week. The directives (phishing attacks) were performed for 10 months in
2021. The contents attempted to elicit personal user-data from participants,
enticing them to click compromised links. The study aimed to determine
cybercrime risks among undergraduates in selected universities in Nigeria,
observe responses to socially-engineered attacks, and explore their attitudes
to cybercrime risks before/after such attacks. The study generalized that all
participants have a great deal of awareness of cybercrime, and also primed all
participants throughout the study to remain vigilant to scams. The study explores
various types of scam and the influence of students' gender and age, and of
perceived safety, on susceptibility to phishing scams. Results show that, contrary to
public beliefs, none of these factors were associated with the scam susceptibility
and vulnerability rates of the participants.

1. INTRODUCTION

The daily rise in the adoption of information and communication technology (ICT) devices, and in
their usage over the Internet owing to ease of use, speed, accuracy, and portability among other features, has
in turn birthed and continued to advance socially-engineered attacks that are designed to evade detection and
to give attackers access to user data. Thus, user trust-level over the adoption and adaptation of
ICT devices in today's digital transformation era has become a global issue [1]. Digital transformation seeks
to integrate technology into various facets of life-endeavors and to fundamentally change how we
operate/deliver value to clients. It proposes a culture change for businesses to constantly challenge,
experiment, and get comfortable with failure. And as more users become connected to internet-based
supports, it also opens them up to avenues of exploitation harnessed by adversaries via socially-engineered
threats and attacks [2].

Socially-engineered attacks are an old paradigm that continues to grow steadily, with no end in
sight. Their continued growth hinges on the human trust instincts and insatiable wants that attackers
ultimately exploit to steal user data. These attacks reveal how vulnerable a connected device is [3], as they
are designed to exploit human errors and insatiable traits resulting from relationships and operations between
connected users. Adversaries will thus continue to exploit the weakest links, such as relations and human
errors, which is one reason why socially-engineered attacks will continue to rise [4]. Common methods adopted by such
attackers include (but are not limited to) phishing and spamming. These provide an attacker with an attractive
entry point to the victim's compromised system and a pivot point for the spread and propagation of the
attack [5]. With such attacks targeted at Internet-connected user devices, and with
over 200-percent adoption of smartphones, many users have become susceptible, vulnerable targets and
victims, with a range of complications for work-related and business issues arising from the exposure of sensitive
user-data to these attackers or adversaries [6].


2. LITERATURE REVIEW 
2.1. An overview of phishing 

Socially-engineered attacks use technical subterfuge to defraud a victim of their data by posing as a 
trusted identity. The messages (also called spam) involve harmless advertising via unsolicited emails, SMS, 
or network messages, and contain mechanisms to exploit recipient data [7], [8]. The adoption of spam is due 
to its low-volume-and-high-value target successes, and distribution ease [9]. Spam today has an estimated
daily volume of over 612-billion [4], which makes up over 85% of the daily global traffic, used by spammers
on potentially vulnerable recipients' databanks with ineffective countermeasures to defend themselves against
such evolving attacks [10]-[12].

Phishing uses multiple means, such as spoofed emails, weblink forgeries, phone calls, man-in-the-middle
chat, and covert redirect, to convince a user to divulge confidential data or indulge in fraudulent transactions.
An effective and favored variant of phishing is spear phishing. It uses targeted mail with access links to
cleverly persuade potential victims, and redirects them to spoofed websites containing malware that aims to
compromise user data. Another variant is SMS-phishing (or Smishing), which tricks a user into downloading
malware onto their cellular phone or other mobile devices [13]. Most phishing redirects user traffic to a fake
site, either by changing the hosts file on a victim's device or by exploiting a vulnerability in the domain
name service server software. It thus allows an adversary to install malware onto a user's device and
redirect the user to a fraudulent site without their consent and/or knowledge [14]-[18].

Phishing involves an attacker redirecting a user's access to malicious content shared from spoofed
websites that present themselves as legitimate and trustworthy sources [19]. A typical phishing
attack consists of 3 elements (lure, hook, and catch), explained thus [20]-[23]: i) the lure is a message
received by the potential victim as originating from a legitimate source, whose reliability is strengthened by
exploiting user curiosity, fear, and empathy, ii) the hook is the compromised link/attachment included in the
message, and iii) the catch involves an attacker obtaining the user's private data.

This may appear simple, but the techniques and procedures constantly evolve to reflect new social
trends [24], using new methods to bypass security and evade detection [9]. Its continued spread over the
internet has allowed attacks to vary in frequency and diversity, enhancing their likelihood of success [20].
Thus, phishing messages are often positioned as coming from trusted entities, seeking to defraud a victim (via mail,
SMS, or instant network messages). Its characteristics include: i) the message often makes unrealistic
threats/demands via various forms of intimidation targeted at a user's psyche, ii) there is always a catch,
iii) there are often missing data, with spelling errors and poor grammar, iv) there is often a mismatch in the
URL (uniform resource locator) to redirect users to a faked website, and v) messages often demand sensitive,
confidential user data [5].


2.2. Malicious web-contents 

With the internet advancing as an efficient and effective means of data sharing and dissemination,
many adversaries have since begun to use the medium as a tool for the propagation of malicious content.
Thus, access to malicious content over the Internet has also since become a multi-billion dollar challenge that
continues to impact a variety of users daily [25], [26]. Despite the plethora of continued studies that sought to
improve detection techniques using filtering and classification frameworks, more users continue to fall prey
to such deceptive scams. This is attributed to the fact that websites are riddled with malware that presents
itself as unsolicited unsecured adverts and/or hides in third-party legitimate software [4], [27].

Hale et al. [27] further note that many of these attacks today are targeted at mobile platforms and
users, with over a million malicious files sent daily. Malicious contents are thus so pervasive
that some percentage eventually makes it to a user's screen. They further posited that once content is on
screen for a certain user, prevention and mitigation are no longer a question of technical measures; rather,
control is now ceded to the user. The user's level of suspicion, control of emotions, and awareness of
these attack menaces then become the critical components that determine the success or failure of such
attacks. The human emotions, personality traits, and behavior that act as factors and cues driving
success or failure include the desire for immediate gain, the desire to help people, and the desire to be liked.
All of these suggest that certain individuals have 'victim personality traits' that make them more vulnerable
as well as susceptible to scams [13], [28]; and such victims may fall repeatedly to a scam.


2.3. Classifying malicious contents 

Various research has begun to investigate how various aspects of psychology are used to compromise
data, even with a plethora of cyber-security measures in place. One such concern is how the Internet is
gradually replacing normal social activities, as users now engage themselves with web content as a tool to
compensate for loneliness and social seclusion. Halevi et al. [29] used the 5-D traits to include: neuroticism,
extroversion, [30], [31], and consciousness. It has been successfully used to model and observe students'
responses to socially-engineered attacks vis-à-vis exploring their attitude before/after a phishing attack [6].

Hale et al. [32] used CyberTrust (a game-based simulated learning tool) with web content
to investigate how users perceived and trusted different types of content. They investigated the
trustworthiness of contents by characterizing malicious content using a set of design factors grouped into
sophistications (a feat that makes malicious contents difficult to identify) and degradations (a
feat that makes malicious contents easier to identify). Such web contents thus carry relevant
lures and cues to persuade user trust, and the design factors are linked to taxonomy elements
poised to ask users questions that retrieve the existence of relevant lures and/or cues within the
malicious content, to aid grouping of these contents into structural classes.

In furtherance, Hale et al. [27] used victimization parameters to characterize how such design
factors impact both the structure of the content and the probability that the content will victimize the
user. The study sought to understand malicious web contents vis-à-vis their victimization potential, so that
adequate training could be drafted to identify/remove gaps as well as improve user awareness/recognition of such
malicious web content. They used 2 parameters, namely: i) believability, which identifies how sophistication
increases the possibility that users will believe a message, and ii) insidiousness, which measures the subtle,
malicious potency of degradations, and how much they increase attack impact while remaining undetectable
to users.


3. MATERIAL AND METHOD 
3.1. Sample demographics 

A common feat that influences phishing/scam susceptibility is demographics (gender, age). Previous
studies have identified users between the ages of 18-29 as the most susceptible vis-à-vis web content
[33]-[35], while female users between the ages of 24 to 42 were identified as being the most vulnerable [36], [37].
It has been suggested that young female adults are constantly engaged to avoid social seclusion, which leads
to addiction, whereas excessive online presence and dependence on social media content are often
relevant lures and cues for potential victimization by phishers [31], [38] and lead to the exposure of
associates. Ojugo and Eboka [37] posit that age is linked to risky behavior, which increases the chances of
these young (female) adults being phished as they have less education and caution for financial risk [1], [39].
Goel et al. [3] postulated that women are easier to entice to open phishing emails, but are equally as capable
and proficient as men in detecting a deceptive message. We recruited a total of four hundred and eighty (480)
students from the southern region of Nigeria.


3.2. Technical procedures for web-content classification 

The sophistications and degradations in [32] were coined as pointers for the various lures/cues present in
malicious content. Afterwards, the design factors were refined and mapped to taxonomy elements,
categorized into user-perceivable feats commonly found in a phishing attack, in 3 classes: the
web content, its context, and its contract. These are explained as follows: i) web content classifies elements of
both textual and visual nature in a web content, such as the appearance of a padlock icon on an HTML link to
indicate a secure site, and also describes how the domain is structured,
the use of URLs, e-mail attachment(s), greetings for an email, and signatures, ii) content context
classifies taxonomy elements that include the structural use of a language and its tone, the nature of the grammar
and spelling(s), and the origin/intended recipient of a message, and iii) the contract groups and focuses on the value
proposition of a trust decision. The elements include whether a message asks for personally
identifiable information or offers some benefit in return. We adapt Hale et al. [27] to classify web contents
into sophistication and degradation as in Tables 1 and 2. The experiment lasted for 10 months, and all
participants signed consent forms.

Table 1. Website malicious contents sophistication lures and cues

ID   Sophistication lures/cues
S01  Use of legitimate logos on website
S02  Duplicates the look and feel of legitimate website
S03  Provides contextual or personal information
S04  Legitimate links where malicious contents can be hidden
S05  Provides a sense of previous trust
S06  Mimics intercepted communication
S07  Formal grammar and style in writing without typos
S08  Uses official account usernames
S09  Identifies a known group of recipients
S10  Recognizes file types as downloads/attachments

Table 1 identifies sophistication contents that are hard to identify and thus complicate user trust decisions.
Mapping these to the taxonomy in [17] (given the length constraints) yields the sample list thus:
S07: free grammar and style in writing: uses generic greetings instead of receiver names
  - Context-Language-Tone-Professional
S10: unrecognized file types as downloads/attachments: file extension is unknown
  - Content-URL Links-Obfuscated

Table 2. Malicious content degradation lures and cues for malicious websites

ID   Degradation lures and cues
D01  Suspicious URL identifying the sender or site
D02  Contains suspicious links and/or Pop-ups
D03  Poor spelling and/or grammar issues
D04  Uses odd greetings and/or catchy phrases
D05  Contains unnecessary warning messages
D06  Involves people posing as friends or acquaintances
D07  Uses generic greetings instead of receiver names
D08  References obscure products
D09  Information or item prices too good to be true
D10  Missing security designators, e.g. https padlock
D11  Directly requests the input of personal data
D12  Uses of iframes or overlays on legitimate sites
D13  Contains survey requests with links
D14  Appeals to an emotion, e.g., urgency and greed
D15  Includes suspicious attachments in email
D16  Missing links or buttons that should be present
D17  Offers ambiguous access to a product
D18  Continuous messages/posts of similar content from the same person
D19  Unrecognized file types as download/attachments

Table 2 lists degradation samples that may be well-known to a user. Users often associate these
contents with being potentially malicious. Leading examples of the degradation taxonomy are:
D05: contains unnecessary warning
  - Context-Language-Tone-Unnecessary
D14: content appeals to user emotions such as greed, and time urgency
  - Context-Language-Tone-Professional
D09: item price is too good to be true
  - Contract-Offer-Monetary-Products


3.3. Retrieving malicious contents/data gathering 

When conducting such an experiment, it is important to ensure that the contents retrieved are relevant to
what might be seen in real scenarios. Thus, to gather crucial/relevant user e-mails, Gudkova et al. [6] and Kornor
and Nordvik [8] provide us with sample tailored, generic and spear-phishing emails collected from various
participants’ account(s) as contents undetected by spam-filters. We retrieved phishing contents from
the PhishTank site, a repository from which we extracted the 25 newest phishing websites. We also collected posts
from the Facebook and Instagram accounts of participants using terms like “free cash”, “You have won”, “you
were recommended” amongst other contents. Once gathered, degradation and sophistication were designed
on each content.

The degradation and sophistication of the content attempt to lure the participant to click on the link(s),
which in a real scam situation would have been compromised. All other spear phishing emails were created, and
varied from student to student based on the personal user-data available online. Some user-data could not be
collected due to either the absence of a social media presence for such users, and/or user restrictions in their
social media privacy settings. Accordingly, highly tailored emails were created only for students with
adequate amounts of user data and online presence/information (N=25).

The aim of the experiment is to understand how users make trust decisions, identify their 
deficiencies, and adapt training or awareness so as to prevent user victimization which may further leave 
their associates compromised (in this case, friends, and relatives). The experiment is presented as a mixture 
of normal and malicious content to simulate real-time interactions with an email client, web browser, and 
social network. The experiment follows a scene where a participant must respond to phishing and malicious 
insider tactics to keep them quite interested and engaged online (increased online presence). Simulation 
provides the participant with rich interaction capabilities that allow them to hover over links and attachments 
and see natural browser-like behavior. Figure 1 shows emails with links to social media posts and website 
content samples. Underlying each user interface (as seen in this sample mail) is a trust decision box that 
allows users to either trust (blue for accepting) or not trust (red for reject) using content-specific decisions. 


From: Industrial-Games <industrial.games @hrl.um> 
Subject: Selection for 2022 Participation 


Dearest, 

We are delighted to inform you of your nomination to this year’s Industrial Games — a yearly competition of students selected 
into teams from universities across Nigeria. It is an amazing feat for you to represent our citadel in the coming Session. This 
competition also serves as a means to travel to some parts of Africa and the World as the team qualifies. 


Please click on the Accept link — if you accept your nomination; Otherwise, you can click the Reject link to decline the offer. 
However, I have attached pictures from our last competition and trip for your viewing delight. Some pictures however will 
require access of $5 to view. Click the Picture link to view. 


Arnold Ojugo 
Director, FUPRE Industrial Games 


Figure 1. Sample malicious game email-1 content 
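
The Table 2 degradation cues can be checked mechanically against a message such as the Figure 1 sample. The Python sketch below is an added example, not part of the study or its tooling; the matching rules, the function names, the trusted domain university.example and the link targets are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Cue IDs are the page's Table 2. The matching rules below are this example's
# own assumptions, not the coding procedure used in the study.
GENERIC_GREETING = re.compile(
    r"^\s*(dear(est)?( (customer|user|student|sir|madam))?|hello|hi)\s*,?\s*$", re.I)
PERSONAL_DATA = re.compile(
    r"\b(password|pin|account number|card number|date of birth)\b", re.I)
EMOTION = re.compile(
    r"\b(urgent(ly)?|immediately|free cash|you have won|you were recommended)\b", re.I)


def host_in(host, trusted):
    """True if host is a trusted domain or a subdomain of one (label-aligned)."""
    host = (host or "").lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in trusted)


def tag_degradation_cues(msg, trusted):
    """Return {cue_id: evidence} for the Table 2 cues these rules can detect."""
    cues = {}
    sender_domain = msg["from_addr"].rsplit("@", 1)[-1].strip().lower()
    if not host_in(sender_domain, trusted):
        cues["D01"] = f"sender domain {sender_domain!r} is not trusted"

    off_site, no_tls = [], []
    for text, href in msg["links"]:
        parts = urlsplit(href)
        if not host_in(parts.hostname, trusted):
            off_site.append(f"{text} -> {parts.hostname}")
        if parts.scheme != "https":
            no_tls.append(f"{text} ({parts.scheme or 'no scheme'})")
    if off_site:
        cues["D02"] = "links leave trusted domains: " + "; ".join(off_site)
    if no_tls:
        cues["D10"] = "links without https: " + "; ".join(no_tls)

    lines = [ln for ln in msg["body"].splitlines() if ln.strip()]
    if lines and GENERIC_GREETING.match(lines[0]):
        cues["D07"] = f"generic greeting {lines[0].strip()!r}"
    text = msg["subject"] + "\n" + msg["body"]
    if (m := PERSONAL_DATA.search(text)):
        cues["D11"] = f"asks for {m.group(0)!r}"
    if (m := EMOTION.search(text)):
        cues["D14"] = f"emotional trigger {m.group(0)!r}"
    return cues


TRUSTED = ("university.example",)  # assumed institutional domain (placeholder)

# Constructed input: sender, subject and text follow the page's Figure 1; the
# link targets are invented placeholders because the page does not show them.
FIGURE_1 = {
    "from_addr": "industrial.games@hrl.um",
    "subject": "Selection for 2022 Participation",
    "body": "Dearest,\n\nWe are delighted to inform you of your nomination to "
            "this year's Industrial Games.\nSome pictures however will require "
            "access of $5 to view. Click the Picture link to view.\n",
    "links": [("Accept", "http://games.invalid/accept"),
              ("Reject", "http://games.invalid/reject"),
              ("Picture", "http://games.invalid/pictures")],
}

# Constructed control message that should raise no cue.
BENIGN = {
    "from_addr": "registry@university.example",
    "subject": "Orientation week timetable",
    "body": "Dear Ada,\n\nThe timetable is on the portal.\n",
    "links": [("Timetable", "https://portal.university.example/timetable")],
}

if __name__ == "__main__":
    for name, msg in (("Figure 1", FIGURE_1), ("control", BENIGN)):
        cues = tag_degradation_cues(msg, TRUSTED)
        # One point per cue present (a simple additive score, assumed here).
        print(f"{name}: score={len(cues)}")
        for cue_id, why in sorted(cues.items()):
            print(f"  {cue_id}: {why}")
```

The domain check compares whole labels, so a lookalike host that merely contains or ends with the trusted name without a dot boundary is still reported under D01/D02.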


3.4. Web-content activity and correlation 

To correlate activity, students were asked what messages they uploaded online, the frequency of
their uploading, the number of images posted, and their privacy settings. The survey uses self-reported data,
and is back-checked for accuracy. We extracted personal data from participants. Value ’1’ is assigned to all
elements posted that fall under the various taxonomy. These variables were all added together to
create the study’s web-content data. The log-values showing both each participant’s weekly online
presence and their access to malicious web content were collated. We compute updated variables via (1)
[38], [40].


$$\mathrm{SNposts} = \log_{10}(\mathrm{TotalEntry} + 0.001) \qquad (1)$$
The same calculation was computed for the total number of accesses to sophistication and degradation
class content. Overall participant data statistics are found in Table 3, describing the mean, standard
deviation, and dyads (i.e. the strength of the relationship between any two users for each participant).


Table 3. Overall participant statistics

N  Dependent variables  Mean  Std   +D;   ELi   No activity
1  Data/Messages        12.7  0.94  0.89  0.21  14%
2  Photos               441   0.87  0.89  0.10  18%
3  Posts                15.9  0.42  0.43  0.19  22%
4  Privacy settings     10.3  9.34


Each participant's page builds up with friend and possible acquaintance connections,
leading up to the personal network of such a participant, which in turn allows data such as photos, messages,
and posts to be shared over such social networking sites. From Table 3, 14-to-22-percent of the participants
do not post any data, nor do they reply to or share messages, posts, and photos that appear on their social
network pages. The study also observed that the privacy settings average was in the middle range of 10.3
out-of-40, where 0 is the most conservative [41], [42].


3.5. Study hypothesis 

Previous studies have successfully shown that some factors are responsible for the phishing
susceptibility of users as well as the vulnerability of client devices. These have been attributed to personality
traits, malicious media contents, online presence, and demographics. In furtherance to these, we wish to
investigate other critical factors and features as thus:

- H1: age factor results in lesser awareness of sophistication and degradation as well as training of
  malicious content classification, higher vulnerability, and allows students to share private data online
- H2: students’ complacency with privacy settings in accessing sophistication and degradation content over
  social media leaves them vulnerable as scam victims.


4. RESULTS AND DISCUSSIONS 
4.1. Resultant hypothesis 

Our study seeks to find the probability distribution and correlation for the hypotheses stated above.

H1: age factor results in lesser awareness of sophistication and degradation as well as training of malicious
content classification, higher vulnerability, and allows students to share private data online. To evaluate the
first hypothesis, i.e. an increase in scam vulnerability as the mails became increasingly tailored to the
participants (up to spear-phishing), we used the Wilcoxon signed-rank test. The results revealed no
significant differences in scam susceptibility between generic and tailored scams (Z=-.546, p=.585), tailored
and spear phish scams (Z=.000, p=1.00), or generic and spear phish scams (Z=-.646, p=.518); thus, the
hypothesis was not supported. Going further, we sought to assess whether the rate of these participants’
susceptibility to scams was associated with gender as well as age/status using Fisher’s Exact Test (see Figures
2 and 3 respectively) with p=.57. The result showed no significant differences by gender and other
traits as the reason for their susceptibility and vulnerability rates to scams.

Figure 2. Cues for students scammed by gender

Figure 3. Cues for students scammed by Age/Status

H2: participants’ complacency with privacy settings in accessing sophistication and degradation
content over social media leaves them vulnerable as scam victims. Figure 4 shows that the overall result appears
to have no trend in the relation between the type of phishing or scam used and the susceptibility of the
victims. In furtherance, results show that many of the participants were most susceptible to the phishing
emails (scams) with the headings “Mailbox Full”, “Update Mailbox” and “Update Mailbox Capacity” (i.e.
generic scams). Figure 5 shows that participants trusted, and were found to be susceptible to, the phishing
mail with the tag “Semester Result”. These were phishing attacks tailored to specific
participants via their institution mail. This is in agreement with [43], [44].


Figure 4. Students who clicked Trust on social network

Figure 5. Students who clicked Trust on email


4.2. Discussion of findings 

This study was designed to assess the rate of susceptibility and vulnerability among undergraduates
in selected universities in Nigeria. At the heart of this study was the interest in how scam type and campus
demographics influenced susceptibility rates among students. The relevant literature suggests that
scam susceptibility may be influenced by the level of specificity in a scam; that is, users are more likely
to be deceived by scams tailored to their circumstances (spear-phishing) than by those with generic content.
Other variables have also been flagged as potential contributors to scam susceptibility, including (but not
limited to) gender, age, and status. Broadhurst et al. [45] agree with these and state that, besides these, other
variables including the level of cybercrime awareness, IT competence, and gender are also flagged as
potential contributors therein.

To explore these possibilities, participants were exposed to social engineering directives in the form
of fake email attacks that attempted to either elicit personal data from participants or compel them to click
links that could contain malware in the real world. In addition, to determine these participants’ rate of
susceptibility to tailored and spear phishing attacks rather than generic attacks, email content was engineered
to replicate these three (3) scam types (generic, tailored, and spear phishing) with the concept of lure, hook
and capture. These scam types differed in their level of personal relevance (specificity) to each of the
participants [14].

Results showed no relation between participants’ susceptibility and scam types, as participants were
not found to be more susceptible to any particular phishing attack. However, the email content that deceived
most participants provided insight into scam types that may succeed. The most successful attack was the
students’ updated mailbox email. This email’s success was due to its being sent during the first/second semester
exams for the 2019/2020 session. With these, we proffer 3 likely explanations, namely: i) that due to the
upcoming exams, portal info as regularly sent to the students' mailboxes gave this mail high relevance, ii)
exams are a critical matter, and thus became a panacea for the increased susceptibility, and iii) exams
generally instill fear in students, and this mail carried an urgent requirement for participants to take action and ensure
that, with the receipt of the mails therein, they are aware of when and where their exams were to take
place. These, among others, we posit are reasons that may have compelled participants to click on the link.


5. CONCLUSION 

We believe in general that the success of a fake scam can be richly attributed to a combination of
personal relevance and fear. This indicates that individuals in the real world may be more susceptible to
scams that tap into salient life circumstances and instill a sense of fear and urgency. The ever-increasing
magnitude and impact of phishing have necessitated studies on minimizing attacks among students and the
broader public. Understanding the factors that influence susceptibility will help users to protect themselves
against phishing and other forms of cybercrime. Tackling the many complex events linked to
‘cybercrime’ also requires effective training and campaigns among undergraduates and the general public, as well
as methods of attaining knowledge via processes that explore ways to observe victimization
in a real-world setting.